Bug 2165142
| Summary: | KVM VM won't start when using hugepages as memoryBacking and SWTPM because avc: denied { unlink } | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jesus Alberto Gonzalez Vences <bjvences> |
| Component: | swtpm | Assignee: | Stefan Berger <stefanb> |
| Status: | ON_QA --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 37 | CC: | davide, dwalsh, lvrabec, marcandre.lureau, mmalik, omosnacek, pkoncity, stefanb, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hello,

Do you happen to know which process created the file in question?
Can you reproduce the issue with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
    -a task,never
3) Add the following line to the end of the file:
    -w /etc/shadow -p w
4) Restart the audit daemon:
    # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
    # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

(In reply to Zdenek Pytela from comment #1)
> Hello,
>
> Do you happen to know which process created the file in question?
> Can you reproduce the issue with full auditing enabled?
>
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
>     -a task,never
> 3) Add the following line to the end of the file:
>     -w /etc/shadow -p w
> 4) Restart the audit daemon:
>     # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>     # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Hi, yes of course, here's the output:

journalctl

```
Jan 30 09:32:52 mawahost virtqemud[4009]: libvirt version: 8.6.0, package: 5.fc37 (Fedora Project, 2022-11-20-18:43:33, )
Jan 30 09:32:52 mawahost virtqemud[4009]: hostname: mawahost
Jan 30 09:32:52 mawahost virtqemud[4009]: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config
```

ausearch

```
type=PROCTITLE msg=audit(01/30/2023 09:32:52.092:300) : proctitle=/usr/bin/swtpm socket --ctrl type=unixio,path=/run/user/1000/libvirt/qemu/run/swtpm/1-win10-swtpm.sock,mode=0600 --tpmstate dir=
type=PATH msg=audit(01/30/2023 09:32:52.092:300) : item=1 name=/run/user/1000/libvirt/qemu/run/swtpm/1-win10-swtpm.sock inode=243 dev=00:43 mode=socket,600 ouid=mawa ogid=mawa rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/30/2023 09:32:52.092:300) : item=0 name=/run/user/1000/libvirt/qemu/run/swtpm/ inode=239 dev=00:43 mode=dir,770 ouid=mawa ogid=mawa rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/30/2023 09:32:52.092:300) : cwd=/
type=SYSCALL msg=audit(01/30/2023 09:32:52.092:300) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x55894edf7f00 a1=0x0 a2=0x1 a3=0x8 items=2 ppid=2180 pid=4097 auid=mawa uid=mawa gid=mawa euid=mawa suid=mawa fsuid=mawa egid=mawa sgid=mawa fsgid=mawa tty=(none) ses=3 comm=swtpm exe=/usr/bin/swtpm subj=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 key=(null)
type=AVC msg=audit(01/30/2023 09:32:52.092:300) : avc: denied { unlink } for pid=4097 comm=swtpm name=1-win10-swtpm.sock dev="tmpfs" ino=243 scontext=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
```

About which process created 1-win10-swtpm.sock: it had to be swtpm.

This is a problem of swtpm's SELinux policy.
I was able to recreate the SELinux denial by adding a memoryBacking node to the libvirt domain XML:

```xml
<currentMemory unit='KiB'>2097152</currentMemory>
<memoryBacking>
  <hugepages>
    <page size='2048' unit='KiB'/>
  </hugepages>
</memoryBacking>
<vcpu placement='static'>4</vcpu>
```
Even though the SELinux related error is gone, the VM does not start:

```
> virsh start testvm
error: Failed to start domain 'testvm'
error: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config
```
The fix in swtpm's SELinux policy looks like this:
-allow svirt_t user_tmp_t:sock_file { create setattr };
+allow svirt_t user_tmp_t:sock_file { create setattr unlink };
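Review bot: the added unlink permission is granted to every svirt_t guest domain on every user_tmp_t sock_file, not only on the swtpm control socket named in the AVC (1-win10-swtpm.sock under /run/user/1000/libvirt/qemu/run/swtpm/); that is the same scope as the existing create and setattr grants on the line, so it is consistent, but the commit message should state why swtpm needs it: the PATH record in comment 2 (nametype=DELETE, comm=swtpm) shows swtpm unlinking the path it passes as its own --ctrl socket, so the permission is for cleaning up its own socket, not for touching other users' files.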
If you have comments regarding this fix, please let me know here: https://github.com/stefanberger/swtpm/pull/813
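As an added example (not part of this bug report, of swtpm, or of selinux-policy), a small Python triage helper that parses the two AVC records quoted in this bug, both the raw audit.log form from the description and the `ausearch -i` form from comment 2, derives the minimal allow rule the denial asks for, and checks it against the before and after rule from the swtpm policy fix; it shows why the AVC, not the misleading hugetlbfs message from libvirt, is the record to act on.

```python
import re

# AVC records quoted in this bug: the raw audit.log form from the description
# and the interpreted (`ausearch -i`) form from comment 2.
AVC_RAW = ('type=AVC msg=audit(1674832522.228:324): avc: denied { unlink } for pid=5359 '
           'comm="swtpm" name="4-win10-swtpm.sock" dev="tmpfs" ino=600 '
           'scontext=unconfined_u:unconfined_r:svirt_t:s0:c102,c906 '
           'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0')
AVC_INTERPRETED = ('type=AVC msg=audit(01/30/2023 09:32:52.092:300) : avc: denied { unlink } for '
                   'pid=4097 comm=swtpm name=1-win10-swtpm.sock dev="tmpfs" ino=243 '
                   'scontext=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 '
                   'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0')
# Before/after rule from the swtpm policy diff quoted above.
OLD_RULE = 'allow svirt_t user_tmp_t:sock_file { create setattr };'
NEW_RULE = 'allow svirt_t user_tmp_t:sock_file { create setattr unlink };'

# Both record forms share the same field layout after "avc:"; only the timestamp differs.
_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                     r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
                     r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')
_RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]+?)\s*\};')

def context_type(ctx):
    """Type component of user:role:type[:range]. The MCS range (s0:c102,c906)
    is per guest; a TE allow rule is written against the type only."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC record into its policy-relevant fields; None if not an AVC."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    return {'result': m.group('result'), 'perms': sorted(m.group('perms').split()),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'), 'permissive': m.group('permissive') == '1'}

def allow_rule(avc):
    """Minimal TE rule satisfying the denial (what audit2allow would print)."""
    return 'allow %s %s:%s { %s };' % (avc['source'], avc['target'],
                                        avc['tclass'], ' '.join(avc['perms']))

def rule_covers(rule, avc):
    """True if an existing allow rule grants every permission the AVC lists."""
    m = _RULE_RE.match(rule)
    if m is None:
        return False
    src, tgt, cls, perms = m.groups()
    return ((src, tgt, cls) == (avc['source'], avc['target'], avc['tclass'])
            and set(avc['perms']) <= set(perms.split()))
```

Running `rule_covers(OLD_RULE, parse_avc(AVC_RAW))` is false and `rule_covers(NEW_RULE, ...)` is true, which is exactly the one-permission gap the swtpm fix closes.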
FEDORA-2023-264d50ec35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35

FEDORA-2023-264d50ec35 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-264d50ec35`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Description of problem:

Version-Release number of selected component (if applicable):
libvirt-8.6.0-5.fc37.x86_64
qemu-kvm-2:7.0.0-13.fc37.x86_64
selinux-policy-37.18-1.fc37.x86_64

How reproducible:

Steps to Reproduce:
1. With a regular user define a new VM using Gnome Boxes
2. Update the XML definition to use SWTPM and hugepages as memoryBacking
3. Configure HugeTLB Huge Pages accordingly

Actual results:
VM won't start because:

```
type=AVC msg=audit(1674832522.228:324): avc: denied { unlink } for pid=5359 comm="swtpm" name="4-win10-swtpm.sock" dev="tmpfs" ino=600 scontext=unconfined_u:unconfined_r:svirt_t:s0:c102,c906 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
```

Which in turn ends up being reported as:

```
Jan 27 09:07:21 mawahost virtqemud[3733]: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config
Jan 27 09:07:21 mawahost virsh[4600]: 4600: error : virNetClientProgramDispatchError:172 : internal error: hugetlbfs filesystem is not mounted or disabled by administrator config
```

Expected results:
VM starts without problems and using the reserved hugepages configured

Additional info:
Yes, hugetlbfs IS mounted:

```
Jan 27 09:02:17 mawahost systemd[1]: Mounting dev-hugepages.mount - Huge Pages File System...
Jan 27 09:02:17 mawahost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
```